Download 116d92f036f68d325068f3c7bbf1d535 - Project.pdf as a password-protected archive (please contact me if you need the password)
Update Jan. 22, 2010 - CW Sandbox analysis kindly provided by TarunKumar Singh (below)
-----Original Message-----
From: XXXXX (Real name here) [mailto:XXXXXX@state.gov]
Sent: 2010-01-13 1:17 AM
To: XXXXXX
Subject: Re: Project
Importance: High
Dear
I will bring your email to his attention at that time.
With regards,
Lesley Rich
Header:
Received: (qmail 6296 invoked from network); 13 Jan 2010 06:17:21 -0000
Received: from unknown (HELO state.gov) (115.92.107.178)
by XXXXXXXXXXX
Received: from ¼òÌå²âÊÔ (unknown [192.168.7.110])
by 192.168.7.110 (Coremail) with SMTP id _bJCALesoEAeAFMU.1
for XXXXXXXXXXXXX Wed, 13 Jan 2010 14:17:15 +0800 (CST)
X-Originating-IP: [192.168.7.110]
Date: Wed, 13 Jan 2010 14:17:15 +0800
From: "=?GB2312?B?QnJlbW5lciwgU3VlIEw=?="
Subject: =?GB2312?B?UmU6IFByb2plY3Q=?=
To: XXXXXXXXXXXXXXXXXXX
X-Priority: 1
X-mailer: FastMail 1.5 [cn]
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary="------=_Next_Part_0019055250.467"
Hostname: 115.92.107.178
ISP: LG DACOM Corporation
Organization: LG DACOM Corporation
Type: Cable/DSL
Country: Korea, Republic of
State/Region: 11
City: Seoul
Latitude: 37.5664
Longitude: 126.9997
This file was already analyzed on VirusTotal:
http://www.virustotal.com/analisis/ac3849e1c3ddf124f17c2ed7e8d3463fda2a37116d711a99b82c743c0c1a32ac-1263106258
http://www.virustotal.com/analisis/ac3849e1c3ddf124f17c2ed7e8d3463fda2a37116d711a99b82c743c0c1a32ac-1263938027
File Project.pdf received on 2010.01.19 21:53:47 (UTC)
Result: 18/41 (43.90%)
a-squared 4.5.0.50 2010.01.19 Exploit.JS.Pdfka!IK
Authentium 5.2.0.5 2010.01.19 PDF/Expl.FO
BitDefender 7.2 2010.01.19 Exploit.PDF-JS.Gen
CAT-QuickHeal 10.00 2010.01.19 Expoit.PDF.FlateDecode
ClamAV 0.94.1 2010.01.19 Exploit.PDF-9757
Comodo 3640 2010.01.19 UnclassifiedMalware
DrWeb 5.0.1.12222 2010.01.19 Exploit.PDF.687
eSafe 7.0.17.0 2010.01.19 Win32.Pidief.H
F-Secure 9.0.15370.0 2010.01.19 Exploit.PDF-JS.Gen
GData 19 2010.01.19 Exploit.PDF-JS.Gen
Ikarus T3.1.1.80.0 2010.01.19 Exploit.JS.Pdfka
Kaspersky 7.0.0.125 2010.01.19 Exploit.JS.Pdfka.adn
McAfee-GW-Edition 6.8.5 2010.01.19 Heuristic.BehavesLike.PDF.Shellcode.Z
Microsoft 1.5302 2010.01.19 Exploit:JS/Heapspray
nProtect 2009.1.8.0 2010.01.19 Exploit.PDF-JS.Gen.C02
PCTools 7.0.3.5 2010.01.19 Trojan.Pidief
Symantec 20091.2.0.41 2010.01.19 Trojan.Pidief.H
TrendMicro 9.120.0.1004 2010.01.19 TROJ_PDFKA.AK
Additional information
File size: 149706 bytes
MD5 : 116d92f036f68d325068f3c7bbf1d535
Vicheck.ca has this file under a different name already:
https://www.vicheck.ca/md5query.php?hash=116d92f036f68d325068f3c7bbf1d535
Vicheck.ca flags: kernel32, ExitProcess, Javascript obfuscation using unescape, Javascript obfuscation using unescape, Javascript possible obfuscation using unescape, PDF Exploit call to media.newPlayer
Wepawet
http://wepawet.iseclab.org/view.php?hash=116d92f036f68d325068f3c7bbf1d535&type=js
File Project.pdf
Analysis Started 2010-01-19 14:15:12
Report Generated 2010-01-19 14:16:24
Jsand 1.03.02 benign
Here is the CW Sandbox analysis kindly provided by TarunKumar Singh:
Created Files...
- File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.exe
- File Type: file
- Source File Hash: 88fd19e48625e623a4d6abb5d5b78445
- Creation/Distribution: CREATE_ALWAYS
- Desired Access: FILE_ANY_ACCESS
- Share Access: FILE_SHARE_WRITE
- Flags: FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS
- Stored as: 88fd19e48625e623a4d6abb5d5b78445.exe
- File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ÄêÙR×´.pdf
- File Type: file
- Source File Hash: dc0a02619771b5d2d0887267c67b87a6
- Creation/Distribution: CREATE_ALWAYS
- Desired Access: FILE_ANY_ACCESS
- Share Access: FILE_SHARE_WRITE
- Flags: FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS
- Stored as: dc0a02619771b5d2d0887267c67b87a6.pdf
Store Created Files Section...
- Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.exe (36974 Bytes.) - Destination: 88fd19e48625e623a4d6abb5d5b78445.exe
- Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ÄêÙR×´.pdf (57536 Bytes.) - Destination: dc0a02619771b5d2d0887267c67b87a6.pdf
- Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\
Created Keys...
- Key: HKEY_LOCAL_MACHINE\System\WSZXSGANXFJVAYSXYQGNXKQY
- Key: HKEY_LOCAL_MACHINE\System\
Open Keys...
- Key: HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\8.0\ORO
- Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
- Key: HKEY_LOCAL_MACHINE\SOFTWARE\